On Wed, 30 May 2018 14:17:19 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> Not from my experience.
> Tapes have less moving parts and a way longer lifetime than (rotating)
> disks (spinning rust). OK, ymmv but LTO works reliably here.

Your experience is different from mine ;-) Either the backup didn't work
at all (mostly because of the backup program, but occasionally because
of a tape or minor drive problem) or the drive would, without notice,
just decide to die. Mind you this was on a Unix machine running the OS
that decided it owned Linux ;-)

> >> The idmap stuff scares me the most ;-)
> >
> > Why ? Once you get your head around it, you will probably wonder why
> > yourself ;-)
>
> Why? because I had to readjust that >3 times at another site, every
> time was like "this is correct" and after a while something else
> popped up.

There are three main winbind backends, but only two are really used on
Unix domain members, the 'ad' and the 'rid' backends. Which you use is
really down to a simple choice, do you want to add posix attrs to AD or
not. If you don't want to add anything to AD, then use the 'rid'
backend. If you do add the posix attrs to AD, then use the 'ad'
backend.

Having decided which backend, you then have to decide on the ranges to
use. If you use the 'rid' backend, then good ranges would be 3000-7999
for the '*' domain and 10000-whatever_upper_limit_you_decide for your
DOMAIN (there is a slight problem with this on Debian, they thought it
was a good idea to use the ID 65534 for nobody/nogroup, but you can
work around this). This will lead to user & group IDs starting from
'11000'

If you use the 'ad' backend, things are a little different, you
probably can use the same '*' range as the 'rid' backend, but the
DOMAIN range will depend on the posix attrs in AD, so if the lowest
uidNumber or gidNumber in AD is '10000', you could start at '10000'

Things to note:
If you place the '*' range below the 'DOMAIN' range, you can easily
expand the 'DOMAIN' range by increasing the upper range.

A user can have the same ID as a group, they will never be mixed up.

A 'rid' user with the ID 11000 is very very unlikely to be the same user
as an 'ad' user with the same ID. i.e. If you run the 'ad' backend on
one Unix domain member, but the 'rid' backend on another, your users
will have different ID numbers.

If you do not have the 'netbios name' line in smb.conf, you can use
the smb.conf on all Unix domain members in the domain and you will
always get the same numeric IDs.

Rowland
On 2018-05-30 at 15:01, Rowland Penny via samba wrote:

> There are three main winbind backends, but only two are really used on
> Unix domain members, the 'ad' and the 'rid' backends. Which you use is
> really down to a simple choice, do you want to add posix attrs to AD or
> not. If you don't want to add anything to AD, then use the 'rid'
> backend. If you do add the posix attrs to AD, then use the 'ad'
> backend.

I want to keep things as close as possible to the way they are with the
current outdated 3.6.25 setup. This is why the former admin didn't
update, I guess ;-)

So I think "rid" here. I want kind of "read only" access to ADS.

> Having decided which backend, you then have to decide on the ranges to
> use. If you use the 'rid' backend, then good ranges would be 3000-7999
> for the '*' domain and 10000-whatever_upper_limit_you_decide for your
> DOMAIN (there is a slight problem with this on Debian, they thought it
> was a good idea to use the ID 65534 for nobody/nogroup, but you can
> work around this). This will lead to user & group IDs starting from
> '11000'
>
> If you use the 'ad' backend, things are a little different, you
> probably can use the same '*' range as the 'rid' backend, but the
> DOMAIN range will depend on the posix attrs in AD, so if the lowest
> uidNumber or gidNumber in AD is '10000', you could start at '10000'
>
> Things to note:
> If you place the '*' range below the 'DOMAIN' range, you can easily
> expand the 'DOMAIN' range by increasing the upper range.
>
> A user can have the same ID as a group, they will never be mixed up.
>
> A 'rid' user with the ID 11000 is very very unlikely to be the same user
> as an 'ad' user with the same ID. i.e. If you run the 'ad' backend on
> one Unix domain member, but the 'rid' backend on another, your users
> will have different ID numbers.

And you think this is easy? ;-)

testparm shows:

# testparm -sv | grep idmap

ldap idmap suffix
idmap backend = tdb
idmap cache time = 604800
idmap negative cache time = 120
idmap uid
idmap gid
idmap config * : range = 10000 - 20000
idmap config * : backend = tdb

So I would love to "convert" the existing ranges to new parameters,
without guessing or trying something.

The two lines

idmap uid
idmap gid

should be removed, I assume.

> If you do not have the 'netbios name' line in smb.conf, you can use
> the smb.conf on all Unix domain members in the domain and you will
> always get the same numeric IDs.

It is there, but afaik there is only this one domain member server right
now.

Thanks so far, Stefan
On Wed, 30 May 2018 15:26:37 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 2018-05-30 at 15:01, Rowland Penny via samba wrote:
>
> > There are three main winbind backends, but only two are really used
> > on Unix domain members, the 'ad' and the 'rid' backends. Which you
> > use is really down to a simple choice, do you want to add posix
> > attrs to AD or not. If you don't want to add anything to AD, then
> > use the 'rid' backend. If you do add the posix attrs to AD, then
> > use the 'ad' backend.
>
> I want to keep things as close as possible to the way they are with
> the current outdated 3.6.25 setup. This is why the former admin didn't
> update, I guess ;-)
>
> So I think "rid" here. I want kind of "read only" access to ADS.
>
> > Having decided which backend, you then have to decide on the ranges
> > to use. If you use the 'rid' backend, then good ranges would be
> > 3000-7999 for the '*' domain and
> > 10000-whatever_upper_limit_you_decide for your DOMAIN (there is a
> > slight problem with this on Debian, they thought it was a good idea
> > to use the ID 65534 for nobody/nogroup, but you can work around
> > this). This will lead to user & group IDs starting from '11000'
> >
> > If you use the 'ad' backend, things are a little different, you
> > probably can use the same '*' range as the 'rid' backend, but the
> > DOMAIN range will depend on the posix attrs in AD, so if the lowest
> > uidNumber or gidNumber in AD is '10000', you could start at '10000'
> >
> > Things to note:
> > If you place the '*' range below the 'DOMAIN' range, you can easily
> > expand the 'DOMAIN' range by increasing the upper range.
> >
> > A user can have the same ID as a group, they will never be mixed up.
> >
> > A 'rid' user with the ID 11000 is very very unlikely to be the same
> > user as an 'ad' user with the same ID. i.e. If you run the 'ad'
> > backend on one Unix domain member, but the 'rid' backend on
> > another, your users will have different ID numbers.
>
> And you think this is easy? ;-)

Well yes, once you get your head around it ;-)

> testparm shows:
>
> # testparm -sv | grep idmap
>
> ldap idmap suffix
> idmap backend = tdb
> idmap cache time = 604800
> idmap negative cache time = 120
> idmap uid
> idmap gid
> idmap config * : range = 10000 - 20000
> idmap config * : backend = tdb
>
> So I would love to "convert" the existing ranges to new parameters,
> without guessing or trying something.

If the last two lines are actually in your smb.conf on disk and you
want to use the 'rid' backend, then something like this will work:

idmap config DOMAIN : range = 310000-40000
idmap config DOMAIN : backend = rid

> The two lines
>
> idmap uid
> idmap gid
>
> should be removed, I assume.

I would love to see how you remove them ;-)
I would imagine that the smb.conf fragment is from a very long smb.conf.
'testparm -v' means print every line in smb.conf including all the
defaults. Can I suggest you just run 'cat /etc/samba/smb.conf'

Rowland
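Rowland's advice in this thread (the backend choice and range layout in his first reply, and the two 'idmap config DOMAIN' lines he suggests in his last) can be checked mechanically before winbind is restarted. The following Python script is an added example, not code from the thread or from the Samba project: it parses the 'idmap config' lines that 'testparm -s' prints, flags the mistakes the thread warns about (no '*' domain, a range whose low end is above its high end, ranges that overlap, a range that contains Debian's 65534 nobody/nogroup, a DOMAIN range that sits below '*' and so cannot be grown upwards) and previews the UNIX ID the 'rid' backend assigns using the formula documented in idmap_rid(8), ID = RID + LOW_RANGE_ID. The domain name DOMAIN, the SID prefix S-1-5-21-1-2-3 and both sample configurations are constructed placeholders, not values from the thread.

```python
"""Check Samba idmap ranges and preview the 'rid' backend's UNIX IDs.

Added example, not from the samba list thread or from Samba itself. Parses
the 'idmap config <DOMAIN> : <option> = <value>' lines 'testparm -s' prints,
applies the rules given in the thread, and computes ID = RID + LOW_RANGE_ID
as idmap_rid(8) documents. DOMAIN and S-1-5-21-1-2-3 are placeholders.
"""
import re
from typing import Dict, List, Optional, Tuple

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<opt>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(?P<rid>\d+)$")
DEBIAN_NOBODY_ID = 65534  # nobody/nogroup on Debian, as noted in the thread
Config = Dict[str, Dict[str, str]]


def parse_idmap_config(text: str) -> Config:
    """Return {domain: {option: value}}; domain names upper-cased, '*' kept."""
    cfg: Config = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom = "*" if m["dom"] == "*" else m["dom"].upper()
            cfg.setdefault(dom, {})[m["opt"].lower()] = m["val"]
    return cfg


def parse_range(value: str) -> Optional[Tuple[int, int]]:
    m = RANGE_RE.match(value.strip())
    return (int(m[1]), int(m[2])) if m else None


def check_idmap(cfg: Config) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings); an error means winbind cannot map IDs sanely."""
    errors, warnings, ranges = [], [], {}
    if "*" not in cfg:
        errors.append("no 'idmap config * : ...' lines; the default domain is required")
    for dom, opts in cfg.items():
        rng = parse_range(opts.get("range", ""))
        if rng is None:
            errors.append(f"{dom}: missing or unparsable range {opts.get('range')!r}")
            continue
        low, high = rng
        if low > high:
            errors.append(f"{dom}: range {low}-{high} is empty (low > high)")
            continue
        if low <= DEBIAN_NOBODY_ID <= high:
            warnings.append(f"{dom}: range {low}-{high} contains {DEBIAN_NOBODY_ID} (Debian nobody/nogroup)")
        ranges[dom] = (low, high)
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (al, ah), (bl, bh) = ranges[a], ranges[b]
            if al <= bh and bl <= ah:  # the two intervals intersect
                errors.append(f"{a} range {al}-{ah} overlaps {b} range {bl}-{bh}")
    for dom, (_, high) in ranges.items():  # Rowland's tip: keep '*' lowest
        if dom != "*" and "*" in ranges and high < ranges["*"][0]:
            warnings.append(f"{dom}: range sits below '*', so it cannot be grown upwards later")
    return errors, warnings


def rid_backend_unix_id(sid: str, cfg: Config, domain: str) -> Optional[int]:
    """RID + low end of the domain's range, or None when the domain is not on
    the rid backend, the SID is not a domain SID, or the ID leaves the range."""
    opts = cfg.get("*" if domain == "*" else domain.upper(), {})
    rng = parse_range(opts.get("range", ""))
    m = SID_RE.match(sid)
    if opts.get("backend", "").lower() != "rid" or rng is None or not m:
        return None
    unix_id = rng[0] + int(m["rid"])
    return unix_id if rng[0] <= unix_id <= rng[1] else None


# Constructed input: Stefan's '*' lines plus the DOMAIN lines as posted (range
# typed as 310000-40000), and a variant laid out as Rowland suggested.
AS_POSTED = """\
idmap config * : range = 10000 - 20000
idmap config * : backend = tdb
idmap config DOMAIN : range =310000-40000
idmap config DOMAIN : backend = rid
"""
CORRECTED = """\
idmap config * : range = 3000 - 7999
idmap config * : backend = tdb
idmap config DOMAIN : range = 10000 - 999999
idmap config DOMAIN : backend = rid
"""

if __name__ == "__main__":
    for name, text in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        cfg = parse_idmap_config(text)
        # RID 1000 is the first ordinary user an AD domain creates
        print(name, check_idmap(cfg), rid_backend_unix_id("S-1-5-21-1-2-3-1000", cfg, "DOMAIN"))
```

To check a real member server, feed the output of 'testparm -s' to parse_idmap_config. With the DOMAIN lines as posted the checker reports the 310000-40000 range as empty and refuses to map any SID; with the suggested layout ('*' at 3000-7999, DOMAIN from 10000) RID 1000 maps to 11000, which is the "starting from '11000'" Rowland mentions, Domain Users (RID 513) lands on 10513, and a RID that would push the ID past the top of the range gets no mapping at all, which is why the DOMAIN range should be generous and kept above '*' so it can be raised later.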